DETAILED ACTION 

Applicant's Amendment filed 03/31/08 has been entered and carefully 
considered. Claims 8-15 have been canceled. However, the arguments 
regarding the rejection under 35 U.S.C. 102 of claims 1-7 and 16-31 have 
not been found persuasive. Therefore, these claims are rejected 
under the same ground of rejection as set forth in the Office Action 
mailed 08/09/07. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made 
in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for patent 
or (2) a patent granted on an application for patent by another filed in the United States 
before the invention by the applicant for patent, except that an international application filed 
under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application 
designated the United States and was published under Article 21(2) of such treaty in the 
English language. 

Claims 1-7 and 16-31 are rejected under 35 U.S.C. 102(e) as 
being anticipated by Ptacek et al. [US 2005/0005017]. The provisional 
application 60/484,873 has been considered, and the following rejection 
is fully supported by the provisional application. 

As to claims 1, 18 and 25, Ptacek et al. teach a method of analyzing 
security events, comprising: receiving and processing a stream of 
security events (page 1, 0011), including grouping the security events 
into network sessions (figure 1), each session having an identified 
source and destination (figure 3, 318, 322); displaying a graph 
representing devices (figure 1) in a network, the devices including 
security devices (firewall) and non-security devices (disk array), the 
displayed graph including a plurality of individual device symbols and a 
plurality of group device symbols (figure 1, 114-1, 114-2, 114-3...), each 
individual device symbol representing a security device of the network 
and each group device symbol representing a group of non-security 
devices of the network; and displaying in conjunction with the graph 
security incident information, including with respect to a group device 
symbol an incident volume indicator (figure 1, 114-1, 114-2, 114-3...) 
that indicates a number of network sessions whose source or destination 
is at any member of a group of non-security devices corresponding to the 
group device symbol (page 3, 0032-0038). 

As to claims 2, 19 and 26, Ptacek et al. teach upon user selection of a 
group device symbol for a group of non-security devices, displaying a 
second level graph representing the non-security devices in the group 
and the security devices in association with the group (the second level 
graph is disclosed at figure 2), the displayed second level graph 
including a plurality of non-security device symbols (figure 2, database of 
signatures) and a plurality of security device symbols (figure 2, firewall 1-
3), each non-security device symbol representing one non-security 
device in the group and each security device symbol representing one 
security device in the group; and displaying in conjunction with the 
second level graph security incident information, including with respect to 
a non-security device symbol an incident volume indicator (figure 2, 
firewall 1, firewall 2, firewall 3) that indicates a number of network 
sessions whose source or destination is at the non-security device 
(figure 3, 318, 322). 

As to claims 3, 20 and 27, Ptacek et al. teach upon user command with 
respect to a user specified device symbol in the displayed graph, 
displaying data representing network sessions whose source or 
destination is at a device corresponding to the user specified device 
symbol (page 4, 0060, 0061). 

As to claims 4, 21 and 28, Ptacek et al. teach in response to one or 
more user commands, selecting a network session from the displayed 
data, and defining a drop rule that comprises a set of network conditions 
corresponding to the selected network session; wherein the processing 
of security events includes filtering out network sessions that satisfy the 
defined drop rule (0046-0048). 

As to claims 5, 22 and 29, Ptacek et al. teach source and destination 
identifying information, event type information indicating one or more 
types of incidents corresponding to the network sessions, and security 
device information indicating one or more security devices that report 
security events in association with the network sessions (0010-0011). 

As to claims 6, 23 and 30, Ptacek et al. teach the processing of security 
events including identifying groups of network sessions that together 
satisfy a security incident identification rule in a group of predefined 
security incident identification rules, and identifying as rule firing network 
sessions each of the network sessions that is a member of any identified 
group of network sessions; wherein each incident volume indicator 
indicates a number of rule firing network sessions whose source or 
destination is at a device corresponding to the device symbol (0046-0068 
and 0099). 

As to claims 7, 24 and 31, Ptacek et al. teach the processing of security 
events including excluding from the rule firing network sessions any 
network session that satisfies any drop rule in a set of drop rules, each 
drop rule defining a respective set of conditions (0098-0099). 

As to claims 16 and 17, Ptacek et al. teach a method of analyzing 
security events, comprising: receiving and processing security events 
(page 1, 0011), including grouping the security events into network 
sessions (figure 1), each session having an identified source and 
destination (figure 3, 318, 322); 

applying a plurality of predefined security event correlation rules to the 
plurality of network sessions in association with the processed security 
events (0046-0048); for each of a subset of the predefined security event 
correlation rules, identifying network sessions from the plurality of 
network sessions in association with the processed security events, if 
any, that satisfy the rule (0008-0010); 
displaying a graph representing devices (figure 1) in a network, the 
devices including security devices (firewall) and non-security devices 
(disk array), the displayed graph including a plurality of individual device 
symbols and a plurality of group device symbols (figure 1, 114-1, 114-2, 
114-3...), each individual device symbol representing a security device of 
the network and each group device symbol representing a group of non- 
security devices of the network; and displaying in conjunction with the 
graph security incident information, including with respect to a group 
device symbol an incident volume indicator (figure 1, 114-1, 114-2, 114- 
3...) that indicates a number of network sessions whose source or 
destination is at any member of a group of non-security devices 
corresponding to the group device symbol (page 3, 0032-0038). 
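The following is a worked example added to this page for illustration; it is not code from the applicant, from Ptacek et al., or from any cited reference. It implements the processing recited in claims 1, 4, 6, 7 and 16 above in the order the claims state it: security events are grouped into network sessions by source and destination, predefined incident identification rules are applied to the sessions, any session that satisfies a drop rule is excluded from the rule-firing sessions, and the incident volume indicator for each group device symbol is the number of remaining rule-firing sessions whose source or destination is a member of that group. The device names, subnet membership, the two correlation rules, the drop rule and the event stream are all constructed for the example.

```python
# Added worked example (not the applicant's or Ptacek's code): groups security
# events into network sessions, applies predefined incident identification
# rules, excludes sessions that satisfy a drop rule, and computes the incident
# volume indicator shown against each group device symbol. Device names,
# subnets, rules and events below are all constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    reporter: str  # security device that reported the event, e.g. "fw1"
    src: str
    dst: str
    dport: int
    kind: str      # event type, e.g. "deny", "alert", "allow"


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    events: List[Event] = field(default_factory=list)

    @property
    def kinds(self) -> Set[str]:
        return {e.kind for e in self.events}


def group_sessions(events: List[Event]) -> List[Session]:
    """Group events into sessions keyed by source, destination and port."""
    table: Dict[tuple, Session] = {}
    for e in events:
        key = (e.src, e.dst, e.dport)
        table.setdefault(key, Session(*key)).events.append(e)
    return list(table.values())


# Constructed inventory: non-security devices are displayed as one group
# symbol per subnet; the firewall and IDS would be individual symbols.
GROUPS: Dict[str, Set[str]] = {
    "subnet1": {"host1", "host2"},
    "subnet3": {"host15", "diskarray"},
}


# Predefined incident identification rules. Each takes the full session
# list and returns the sessions that make it fire.
def denied_then_alerted(sessions: List[Session]) -> List[Session]:
    """Fires when one session has both a firewall deny and an IDS alert."""
    return [s for s in sessions if {"deny", "alert"} <= s.kinds]


def fan_out(sessions: List[Session], threshold: int = 3) -> List[Session]:
    """Fires on every session from a source that reached >= threshold distinct destinations."""
    dsts = defaultdict(set)
    for s in sessions:
        dsts[s.src].add(s.dst)
    return [s for s in sessions if len(dsts[s.src]) >= threshold]


RULES: Dict[str, Callable[[List[Session]], List[Session]]] = {
    "denied_then_alerted": denied_then_alerted,
    "fan_out": fan_out,
}

# A drop rule is a set of network conditions; a session satisfying all of
# them is filtered out (here: SSH sessions from an authorized scanner).
DropRule = Dict[str, object]
DROP_RULES: List[DropRule] = [{"src": "host1", "dport": 22}]


def satisfies(session: Session, drop_rule: DropRule) -> bool:
    return all(getattr(session, attr) == value for attr, value in drop_rule.items())


def rule_firing_sessions(sessions, rules, drop_rules) -> List[Session]:
    """Sessions in any rule-firing group, minus those that satisfy a drop rule."""
    firing: Dict[tuple, Session] = {}
    for rule in rules.values():
        for s in rule(sessions):
            if any(satisfies(s, d) for d in drop_rules):
                continue
            firing.setdefault((s.src, s.dst, s.dport), s)
    return list(firing.values())


def group_incident_volume(firing: List[Session], groups) -> Dict[str, int]:
    """Per group symbol: rule-firing sessions with source or destination in the group."""
    return {name: sum(1 for s in firing if {s.src, s.dst} & members)
            for name, members in groups.items()}


def device_incident_volume(firing: List[Session], members: Set[str]) -> Dict[str, int]:
    """Second-level view for one selected group: count per member device."""
    return {dev: sum(1 for s in firing if dev in (s.src, s.dst)) for dev in sorted(members)}


# Constructed event stream as a firewall and an IDS might report it.
EVENTS = [
    Event("fw1", "host1", "host15", 22, "deny"),
    Event("ids1", "host1", "host15", 22, "alert"),
    Event("fw1", "203.0.113.9", "host15", 445, "deny"),
    Event("ids1", "203.0.113.9", "host15", 445, "alert"),
    Event("fw1", "203.0.113.9", "diskarray", 445, "deny"),
    Event("fw1", "203.0.113.9", "host2", 445, "deny"),
    Event("fw1", "203.0.113.9", "host1", 445, "deny"),
    Event("fw1", "host2", "diskarray", 2049, "allow"),
]


def analyze(events=EVENTS, rules=RULES, drop_rules=DROP_RULES):
    sessions = group_sessions(events)
    firing = rule_firing_sessions(sessions, rules, drop_rules)
    return firing, group_incident_volume(firing, GROUPS)


if __name__ == "__main__":
    firing, volume = analyze()
    print(f"{len(firing)} rule-firing sessions; per-group incident volume: {volume}")
    print("subnet3 drill-down:", device_incident_volume(firing, GROUPS["subnet3"]))
```

With the constructed events, the eight events collapse into six sessions; five of them fire a rule, and the drop rule removes the authorized scanner's SSH session, leaving four rule-firing sessions and an incident volume of 2 for each subnet symbol. Running `analyze(drop_rules=[])` shows the effect of the drop rule directly: the scanner session is counted again and both group indicators rise to 3.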

Response to Arguments 
Applicant has argued that Ptacek does not teach or suggest displaying a 
plurality of group device symbols, each group device symbol 
representing a group of non-security devices of a network. However, the 
examiner respectfully disagrees because Ptacek shows a plurality of group 
device symbols (figure 1, SUBNET 1, SUBNET 2, SUBNET 3 and 
SUBNET 4); each group device symbol represents a group of non-
security devices of a network (figure 1, SUBNET 3 comprising a group of 
non-security devices such as Host 15 and Disk Array). Applicant's attention 
is also directed to page 3, 0031, which recites that the communications network 1 
comprises a series of sub-networks (subnet1-subnet4). These subnets 
typically include groups of network devices... the subnets include different 
types of network devices... 

Applicant has also argued that Ptacek does not disclose or teach 
displaying security incident information in conjunction with displaying a 
graph representing devices in a network. However, the examiner 
respectfully disagrees because Ptacek teaches the security incident 
information by detecting changes in network usage signatures that 
suggest attack, such as self-propagating code, at page 3, 0034. 
Applicant has argued that Ptacek fails to teach incident volume information 
that indicates a number of network sessions whose source or destination 
is at any member of a group of non-security devices. However, the 
network session SUBNET 3 comprises many members of the group of 
non-security devices, such as the source Host 15 and Disk Array. 
Further, Ptacek teaches displaying network security, as disclosed at 
page 3, 0034, by a plurality of steps of 1) measuring and modeling the 
services or network communication in legitimate use on the network 1, 
especially during normal operation of the network, or its lifetime; 2) 
detecting changes in network usage signatures that suggest attack, such 
as self-propagating network behavior; 3) providing access control 
between different compartments or subnets of the network.... 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first 
reply is filed within TWO MONTHS of the mailing date of this final action 
and the advisory action is not mailed until after the end of the THREE-
MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension 
fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for 
reply expire later than SIX MONTHS from the mailing date of this final 
action. 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Mylinh Tran. 
The examiner can normally be reached on Mon - Thu from 7:00AM to 
3:00PM at 571-272-4141. 

If attempts to reach the examiner by telephone are unsuccessful, 
the examiner's supervisor, Weilun Lo, can be reached at 571-272-4847. 

The fax phone numbers for the organization where this application 
or proceeding is assigned are as follows: 

571-273-8300 
Information regarding the status of an application may be obtained 
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either 
Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more 
information about the PAIR system, see http://pair-direct.uspto.gov. 
Should you have questions on access to the Private PAIR system, 
contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Mylinh Tran 
Art Unit 2179 



/Weilun Lo/ 

Supervisory Patent Examiner, Art Unit 2179 



